In the beginning, when cloud computing was all about public cloud services, many finance chiefs held back because of their concerns about the safety and security of their valuable and sensitive corporate data. But things change - well, some things.
Putting that data in the hands of a third party - outside the firewall, on multi-tenant boxes - emerged as a security risk too far in survey after survey, despite widespread awareness of the cloud's potential to deliver business benefits, cost savings and strategic opportunities.
The cloud has evolved. Public clouds have been joined by private clouds, and hybrid clouds, and other variations on the theme, and use of them is increasing.
However, finance chiefs remain cautious. When a recent Deloitte survey found half of CFOs using cloud computing or planning to within two years, a whopping 89 percent were, perhaps understandably, still citing data security as their main reason for holding back. Meanwhile, uncertainty about the location of data concerned just 44 percent, and legal issues 40 percent - and this may need to change.
"This is a complicated area," says Alistair Maughan, a partner at the international law firm Morrison Foerster.
The explosion in cloud computing has increased the use of third-party service providers, and some of them in turn use other third-party providers to host and back up data. As a result, the data's physical location can be hard to pin down (a problem), as can the legislation that applies to it and the jurisdictions in which that legislation can apply (another problem).
"Generally speaking, the law that's applicable is the law of the country where the data controller is located," says Maughan; but there are some exceptions (yet another problem).
"There was controversy earlier this year when India issued rules that seemed to suggest that Indian law would apply to data processed by Indian providers on behalf of Western customers," he says.
Many cloud service providers and legal experts worried that this would result in additional (and more restrictive) rules, on top of the national laws that already apply to personal data that is transferred offshore from the UK, EU or US.
Ignorance is no defence
"The Indian government has since clarified that this is not its intent," Maughan says, but adds that China and the Philippines are among other countries that are currently developing their own data privacy laws, so CFOs will need to monitor developments.
The UK Data Protection Act 1988 (based on the EU Data Protection Directive 1995) has been around in one shape or another for quite some time, so awareness is high among affected organisations. But the Act's stipulation that personal data should not be transferred to a country or territory outside the European Economic Area - unless that country provides an adequate level of protection - isn't always factored into the decision-making process where cloud-based services are concerned.