On November 10, 2010, the EpsteinBeckerGreen Technology Team hosted a roundtable discussion on the topic "Future of Cloud Computing: Assessing the Utility and Risk" at our New York office. One of the issues addressed at the roundtable was how a company can maintain the security of personnel and other private information regarding employees and its proprietary information if the company utilizes the "cloud" for data processing and storage rather than its own servers.
The consensus of the group – which included guest speakers Allen Ureta, Director of Technodyne LLC's GRC Practice; Michael Wood, Director of Product Management, netForensics, Inc.; and Bill Leroy, Information Security Management and Compliance Evangelist, netForensics, Inc. – was that all companies (large and small) considering the migration of physical data centers to an environment of cloud computing must identify the risks associated with cloud computing, develop proper policies for governance of the system, and implement training programs and controls to protect the integrity of their data. In today's competitive environment, companies go to great lengths to safeguard employee data and business information stored in their in-house computer systems.
The need for system and data security is even greater when companies choose to move data processing and storage into the virtual world of the cloud, where cyber-thieves are constantly looking for ways to sell or use proprietary company information and personal employee data for their own nefarious activities. In addition, companies that are subject to the Sarbanes-Oxley Act ("SOX") and HITECH/HIPAA, as well as companies that are government contractors (particularly to the U.S. Department of Defense), have a greater need to ensure that their data cannot be breached, because the penalties for noncompliance are substantial. Numerous states have also adopted data-breach notification laws that require a company whose data systems are compromised to provide written notice to all individuals whose personal data has been lost, stolen, or disclosed.
Our speakers stated that, before choosing a cloud computing provider, a company must carefully scrutinize the service provider agreement to ensure that the provider can meet the company's specific security needs. The company should not assume that the provider's "form agreement" will suffice. To protect itself, the company should negotiate its own representations and warranties with the provider, paying particular attention to indemnity, "hold harmless," and termination provisions.
In addition, the service provider agreement should address a continuity plan so that a company can retrieve or move its data in the case of a natural or man-made disaster or if the provider goes out of business. Our speakers stressed that many cloud providers are located offshore, in countries that are not subject to U.S. jurisdiction and regulation. As such, including specific provisions for data retention and access is especially critical in view of both the "e-discovery" rules that apply to civil litigation in the United States and the ever-increasing number of state and federal document retention regulations.
The speakers agreed that many data breaches are caused by human error (e.g., employee mistakes) or human malfeasance (e.g., departing employees who take proprietary information), and that such breaches can be minimized or avoided by compliance training and system monitoring. In this regard, companies must draft and implement written personnel and IT policies that are clear and easily understandable. In addition, companies should conduct regular training with their employees on company policies and protocols for data storage, use, and dissemination.
These company policies and training efforts must be coupled with rigorous enforcement. Therefore, companies must develop and implement policies and protocols for monitoring employee use of the electronic data systems (e.g., word processing, e-mail, and Internet use). In most states, establishing these policies and protocols is fairly straightforward, since employees of private employers generally have only a limited expectation of privacy in employer-provided systems, particularly where a written policy gives notice that use may be monitored. However, some states, such as California, provide individual privacy rights to employees that may hamstring an employer's ability to monitor employee use of electronic media. It is recommended that employers consult with their employment counsel before implementing a monitoring policy.
In addition to establishing a system for monitoring employee use of the data systems, companies must actually conduct routine and random monitoring to ensure employee compliance with the data storage, use, and dissemination policy and take disciplinary action against employees who violate the policy. Companies that pay lip service to their own policies and protocols, and turn a blind eye to data leaks and employee negligence or malfeasance, run the risk of litigation, government audits, and damage to their business and reputation.
In sum, any company that has considered, or is considering, migrating its data processing and storage to the cloud must do the following:
- Carefully assess its unique business needs
- Thoroughly vet service providers
- Negotiate a service provider agreement that adequately protects the company's interests
- Weigh the risks of data breaches and loss against the cost savings of being in the cloud
- Develop written HR and IT policies and protocols for data storage, use, and dissemination
- Implement a proactive monitoring policy
- Adequately train employees and IT personnel on the policies and protocols
- Rigorously enforce the policies and protocols
- Develop a plan for handling security breaches if they occur
Additionally, the company should consult with legal counsel to determine what laws and regulations may impact the decision to move to cloud computing and to ensure that its policies and protocols for data storage, use, and dissemination comply with the applicable laws and regulations.