Within the past few years cloud computing has become popular with respect to everyday personal and business productivity. Between email, file sharing, word processing, web chatting and social media, the cloud concept has become integral in creating collaborative and efficient means of accessing and sharing data across multiple platforms. The popularity of cloud computing has transcended these everyday uses and has become a functional and cost-effective storage option for businesses lacking the resources to store massive amounts of data.
Cloud computing generally involves some form of subscription-based service where a third party satisfies the computing and storage needs of its subscriber through a virtually unlimited hardware and communication source that can be accessed remotely through an internet connection. Typically, the most attractive feature of cloud computing for consumers is that it allows subscribers to access their data remotely from multiple electronic platforms. Content is made available via the cloud's web-based utility, so limited storage and hardware capacity becomes irrelevant to the respective device's functionality. The increase in popularity of netbooks, tablets, and mobile computing can attest to this fact.
As such, the cloud concept is becoming more popular within the business community. Cloud computing allows employees to access sensitive technical information, customer information, insurance records, accounting and business data, etc. from anywhere at any time. From a productivity and accessibility standpoint, cloud computing is invaluable to the traveling businessperson. In addition to the flexibility of use, businesses find cloud computing particularly appealing because it can minimize expenses and increase efficiency by lessening or even eliminating on-site disk storage and maintenance requirements.
Under the standard pay-per-use model offered by most cloud vendors, businesses are able to quickly scale computing power up or down without fear of significant capital losses. From an economic standpoint, this overall increase in productivity and decrease in IT costs can be extremely valuable for companies competing in their respective markets.
Unfortunately, there is a potential downside for businesses seeking to utilize a cloud vendor's services. With sensitive business data now in the control of a third party, several potential business and legal risks come into play. Over the course of this three-part blog series we will address some of the major emerging business and legal issues that can arise with respect to cloud computing and provide recommendations on how to mitigate risks for companies that intend to enter into a cloud service agreement.
Part I of this three-part cloud-computing blog series will address some of the potential security and privacy issues of which businesses should be aware when entering into a cloud agreement. This will be followed by Part II, which will provide an overview of jurisdictional issues and the cloud-service provider's rights in subscriber data. The third and final installment of the series, Part III, will look to the conclusion of the cloud-computing agreement, most specifically what should be done at the outset of the agreement to ensure that the ultimate termination of the agreement is as smooth and problem-free as possible. It is our hope that upon reading this series, businesses will have a basic but strong idea of how to negotiate and properly draft a cloud-service agreement to protect themselves and their customers from the legal and business risks associated with entering into a cloud contract.
Security & Privacy Issues and Solutions
Privacy protection and security of cloud data is one of the biggest concerns with utilizing cloud features. Maintaining significant safeguards on sensitive data is one of the foremost priorities of any popular cloud vendor. However, it is difficult to completely guarantee the safety of a customer's data. Information stored by the vendor may have weaker privacy protections than what the creator of the information provides.
For example, in a 2009 Federal Trade Commission complaint by the Electronic Privacy Information Center ("EPIC") regarding Google, Inc.'s ("Google") cloud-based services, EPIC claimed that Google failed to adequately safeguard its users' confidential information. While claiming to users that their data would be secure and private, Google's terms of service policy explicitly disavowed any warranty or any liability for harm that could result from its negligence to protect the privacy and security of user data.
Fortunately for businesses, an increasing number of cloud-based service providers are providing customized data management services that require negotiation with respect to the terms of their cloud agreements. Businesses that are potential cloud computing subscribers ("Subscribers") are encouraged to carefully negotiate their prospective cloud service transaction so as to ensure high-level privacy and security. In the following paragraphs we will discuss some considerations when negotiating the transaction.
1. Structure the Cloud Computing Agreement to Mitigate Risks
a. Limitation of Liability and Professional Liability Insurance
Subscribers should attempt to structure the agreement to make the cloud service provider primarily responsible for data security risks. To whatever extent responsibility is not transferred to the vendor, the Subscriber should then transfer personal risk to a professional liability carrier. Subscribers are advised to structure limitations of liability sections carefully, and indemnity and insurance provisions properly. By doing so both vendor and customer can effectively balance possible data and security risk.
b. Require Vendor to Provide Documentation of its Security Policy
Subscribers should also, as part of their cloud agreement, require the vendor to provide significant documentation of its security procedures in a Statement on Auditing Standards No. 70 Audit ("SAS70 Audit") or updated Statement on Standards for Attestation Engagements ("SSAE16 Audit") (collectively "Security Audits"). The American Institute of Certified Public Accountants developed the SSAE16 Audit and its predecessor, the SAS70 Audit, to ensure that service providers demonstrate that they have adequate controls and safeguards in place when they host or process data belonging to their customers. These audits provide an authoritative and uniform format for vendors to report this information, and should be negotiated into a prospective cloud agreement between the Subscriber and cloud-service provider.
c. Incident Response System in the Event of Breach
In the event that a cloud provider suffers a security breach, an effective response plan should be in place. The terms of the agreement should require the cloud-service provider to promptly notify all parties that may be affected by the breach. Terms should be written into the agreement that further require the cloud-service provider to coordinate and assist customers with the investigation, mitigation and containment of the breach. It may be beneficial for Subscribers to also reserve the right to conduct their own forensic assessment and investigation of the breach. Issues regarding terminating and limiting data access will be discussed in further detail in the upcoming entry, but with respect to data security, data preservation, and substantive defense issues it is crucial that the Subscriber and the cloud-service provider are in agreement as to what responsive action will be taken in response to a security breach.
In the next installment of the cloud-computing blog series, we will discuss some of the jurisdictional issues that may occur with respect to the trans-border flow of data in a cloud environment. We will also discuss what rights the cloud-service provider has in the customer data it manages.