A code of practice is being prepared for the biggest electronic challenge that has faced small and medium enterprises in 15 years - cloud computing.

The change in the way of working - in which companies hand over the running of systems to outside providers, often overseas - comes loaded with risks, and privacy breaches are frequent.

Industry players gathered in Wellington last week to start to come up with a self-regulatory code to give reassurance to customers.

Privacy commissioner Marie Shroff described cloud computing as the new wave of the digital revolution. "It's an immature industry but it's so big and significant that we wanted to get ahead and see what was happening and what steps people were taking to deal with the risks."


She said working in a cloud was attractive to SMEs because it could save money. But unlike big businesses, they couldn't afford their own private cloud, so the risks were greater.

A survey of 50 businesses and government agencies carried out by the commission in May showed the decision to use a cloud service was often made on an ad-hoc basis and users had a "patchy" understanding of what to do before signing up.

Results showed a large number of businesses sent information overseas without checking the owner's use and management of the information.

Shroff said the danger was putting all the business data and personal information of clients in a cloud without having good controls or knowing where it was.

"A significant number wouldn't take the risk. They were conscious of the branding and customer-trust damage they could do by going unconsciously into the cloud."

She said the hacking of Sony's customer credit card details this year and Ticketek's inadvertent release of customer details in 2008 were examples.

Shroff said it was important to note where information was stored, as different countries had different rules.

Australia, Canada and Hong Kong have similar levels of protection to that of New Zealand, and the EU has higher levels.


In the United States, the onus is on customers to protect themselves.

Computer Society chief executive Paul Matthews said the Christchurch earthquake and subsequent blackouts in some systems had encouraged many to consider using clouds.

The Kings Education language school in the CTV building was unable to contact family members of students who had died, and email at Christchurch Polytech was out for several weeks because the systems went down.

Matthews said that for those who changed, privacy breaches as a result of lax security were now a daily occurrence and a code would address the problem before it became a major issue.

As well as using cloud computing, New Zealand was gaining a reputation as a provider. "Without standards and accountability within the industry, this reputation is in danger."

Rod Drury, chief executive of Kiwi cloud accounting software firm Xero, which has 185,000 users in more than 100 countries, said cloud computing was the biggest change in SME technology in the past 15 years. "The risk is we could get cowboys that slow the industry down."

The scope of the code is being finalised and could range from basic disclosure requirements to comprehensive requirements including auditing and assessment.

What is cloud computing?

Cloud computing allows software to be located elsewhere. It is managed and delivered as a service through a web browser, usually with a monthly licence fee.

Questions to ask providers:

* Where is it based?
* How secure is it?
* Who will have access to the information?
* How long will the information be kept?
* Can it be destroyed?
* What's the risk management around it?
* Can the information be corrected?
* What third parties will have access?
* Can you give customers the reassurance they deserve?