No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud.
General areas of concern surrounding the cloud are similar to those of traditional IT:
- Data security during transmission and storage;
- Data privacy and confidentiality;
- Rights of access in general as well as access for local governments and e-discovery;
- Data ownership;
- Suspension and termination of service;
- Forming and negotiating service-level agreements (SLAs) with cloud providers.
The first question you should consider is whether are you willing to put your company data into an environment where you are not in control of most of the terms of your engagement.
Because many leading cloud vendors are huge entities with an even larger customer base, fine details of an SLA aren’t always negotiable. Often, SLAs are simply forms presented on a “take-it-or-leave-it” basis. As such, the first question you should consider is whether are you willing to put your company data into an environment where you are not in control of most of the terms of your engagement. If you’re not comfortable with this, I recommend you look for a provider that is willing to discuss the terms of service.
Los Angeles city officials were able to negotiate their contract for Google applications in the cloud. But if you’re not the second biggest city in the U.S., you may not be as lucky.
If you’re new to cloud storage, consider prioritizing data storage. Many companies kick off a move into the cloud by migrating non-core data first. This allows them to trial the service and determine if it was cost effective without risking core business functions.
For example, a law firm that is new to cloud computing might decide to place back-office information in the cloud -- payroll, employee benefits -- before moving privileged and confidential client information outside the standard network firewall.
Cloud SLAs and a la carte options
Assuming you have a proposed SLA with a potential cloud vendor that is negotiable and you are ready to place some data in the cloud, there are some additional services you may want to look into before signing on the dotted line:
Request that sensitive data reside in a private cloud. This is a slight misnomer since the purpose of cloud computing is to achieve economies of scale by sharing facilities; however, there may be scenarios in which having a dedicated cloud infrastructure makes sense.
Seek special data encryption. If you have particularly sensitive information, you may want the cloud vendor to provide extra protections. For example, while there seems to be growing understanding that cloud providers are not business associates under HIPAA, this isn’t universally known. You might want the cloud provider to agree to adhere to HIPAA standards, even if they’re not required by law to do so.
Geographic restrictions on where your data is stored. For legal or client-relation purposes, you may not want data stored overseas where law enforcement is not as rigorous or the laws are uncertain.
Unique service levels. If your enterprise has special requirements for data access or use, don’t be afraid to ask the cloud vendor for special service.
Special penalties for violation of agreement terms. If it is it important to you or your customers that there be especially high penalties for violating data privacy, ask for them.
Provisions that would deal with a change in ownership over your cloud provider. The cloud computing market is changing rapidly. You may want to build in a change-in-ownership or non-assignment clause into your SLA. In such a provision, you might also make clear that the cloud provider will never own the data that they hold for you, even if you decide to change providers.
Provision for business continuity in the event of a disaster.You need to know specifically what will happen to your data in the event of an earthquake, tsunami or other natural disaster.
In addition to these terms, you may want to add traditional IT outsourcing contract terms that you’ve grown accustomed to regarding e-discovery functionality and indemnification from breaches, such as the ability to:
- search based on defined criteria -- content, sender and/or recipient, date range and metadata;
- store search results with any metadata;
- add and delete from search results to create an e-discovery set.
Colin J. Zick, Esq., is a partner in the Boston office of Foley Hoag LLP, focused on health care and compliance issues. Zick frequently counsels clients on issues involving information privacy and security. As co-founder of the firm's Data Security and Privacy Practice Group, Zick regularly contributes to its blog.
This was first published in January 2012