As the world becomes more digitally interconnected, businesses are increasingly vulnerable to cyber threats. Here, cybersecurity and privacy expert Charlotte Tschider, who teaches in Mitchell Hamline School of Law’s online certificate program in cybersecurity and privacy law, discusses the special risks associated with storing data in the cloud and recommends specific contractual safeguards.
For company leaders who need affordable ways to store growing amounts of data, cloud computing is an intriguing option. However, organizations, especially those that store and share information globally, need to exercise caution when contracting for secure cloud services.
According to a 2016 McAfee study, global organizations are expected to spend 80 percent of their IT budgets on cloud computing services within the next 16 months, but only 13 percent of respondents completely trusted public cloud providers with sensitive personal data, such as health, financial, travel or employee data.
Although entrusting sensitive personal data to a cloud service carries the same risk that arises any time an organization uses a third-party vendor, cloud service providers also present unique exposure to online threats. Some providers, for example, have insufficient security controls in place, exposing data to malicious external attacks or data breaches.
Creating a Contract
Standard contractual language is critical for companies to control third-party management of cloud computing and to gather useful intel about a third party’s security practices. A corporation’s legal team should work with the company’s information privacy and security professionals to review contract language and identify appropriate requirements, including external audit or certification expectations. Clear contractual terms should communicate the expectations placed on the cloud service provider and its sub-contractors. Those terms should also address financial solvency requirements, the organization’s ability to periodically assess or audit a provider, and cyberliability insurance minimums.
The most important items to include in your agreement are data-breach liability terms, which specify who is responsible for costs in the event of a data breach; a large breach can cost millions of dollars, and those costs may not be covered by your own cyberliability insurance.
Organizations storing the personal information of consumers, patients, or employees should consider including privacy terms in a cloud-services agreement as well. That is especially important if the personal information covers non-U.S. citizens in Canada, the Latin America region, the Asia Pacific region, and European countries both within and outside the EU. Personal information includes a wide variety of data types, including types an organization might not immediately consider, such as IP addresses, mobile identifiers, biometric data, or a person’s image. It is critical to work with a qualified privacy professional or legal counsel to determine which, if any, privacy laws apply to your cloud implementation.
Organizations should strongly consider developing standard language when working with any third party, especially cloud service providers. With growing cloud service adoption and increased awareness of the financial repercussions of poor security, every organization has an opportunity to effectively manage third-party risk, at least in part, through strong contractual terms.