Record Keeping in the Cloud

Cloud Software

Claimed Users

Xero

371,000 plus

LinkedIn

260 million plus

Dropbox

300 million plus

Google – Email

500 million plus

Increasingly, we are using the Cloud to create, manage and store documents, such as through Xero, LinkedIn, Dropbox and Google. However, the Cloud is unique in that control of the documents passes outside of your physical possession and onto someone else's computer, which is often overseas.  

Consequentially, there are several issues that a business owner needs to be aware of. 

- How secure is your data and how much control do you have over it once it is in the Cloud?

Often, you will have no idea where the data is stored, you have no idea how the supplier is protecting your data, and occasionally, there is no ability for you to produce a back-up of the data you have stored in the Cloud.

Issues can ultimately arise, for example, when a local or overseas regulatory authority seizes servers containing your data (think Kim Dotcom and Megaupload), an employee emails a client database stored in the Cloud to the wrong party, where your provider goes bust (think Nirvanix), where your provider is hacked (think JP Morgan Chase), and when you are trying to recover that deleted document.

- What happens if your service provider ceases to provide the Cloud service?

The internet has seen large numbers of businesses bomb, such as webvan, eToys, Kiko and Wesale (have you heard of them?!!!!).  The question therefore ultimately becomes, can you easily export your data to another comparable service for ongoing use, and is there another comparable service?

- Do you retain ownership of your data once it is in the Cloud?

This is about you retaining ownership of your documents, and it has been well publicised by the media.  There have been arguments over who owns the data when you use Google or Facebook, for example.  Can someone else use your emailed photograph in an advertisement? Ownership of your Xero account may correspondingly be with your accountant, not you. With the cost of legal action, possession may ultimately be nine tenths of the law. 

- Can you check who has viewed or altered your data in the Cloud?

This is about confirming who did what and when with your documents.  Particularly with financial information, there should be some form of audit trail available to confirm who, for example, created an invoice or payment through internet banking. Does your software allow this, or do you need to purchase tracking software and retain backups of core documents? 

- Are you complying with legal requirements when storing documents in the Cloud?

Generally speaking, you are legally required to store and produce documents in an easily accessible form for seven years under, for example, sections 145, 189 and 190 of the Companies Act 1993.  However, we often find ourselves deleting documents within six months to fit within size restrictions set by our IT administrator.  This may include expense invoices in support of your income tax return, which may come back and bite you if the Inland Revenue Department comes knocking.

Directors and employees also have a legal duty to restrict external access to company information to protect against, for example, insider trading or industrial espionage.  Are you inadvertently or accidentally sharing material company information with suppliers, and the supplier's other customers, thorugh the use of Dropbox?  Are company documents being stored in an account under the name of another legal entity? 

- Can documents stored on the Cloud be used to enforce your legal rights?

This is about making sure that the documents that you have can be used to enforce your rights.  For example, how do you confirm that the scanned contract was created at the mentioned date?  What happens if someone alleges that they never signed it and it is a forgery? 

Inadequate record keeping or data loss will not necessarily lead to the failure of a business.  However, it will ultimately make life more difficult.  At the end of the day, documents such as cashbooks, invoices and contracts, all increasingly stored in the Cloud, form a key basis of a business.  Their loss can also form the basis of a claim against a director by their company, a liquidator or a regulatory authority.

We therefore recommend that all businesses consider information management and security as a key aspect of their business, in the same way that marketing and accounting, for example, is considered at management level.  Many large businesses have a "Company Information Officer" and/or "Compliance Officer" to complete this.  In smaller businesses, the internal or external company accountant can take on the task.

McDonald Vague is commonly employed by businesses, their advisors and their financiers to provide corporate governance and forensic accounting services, and this is an increasing issue for our clients.  We are happy to provide further advice in this area upon request.

Read 2637 times