BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note in the Report that companies cannot eradicate security risk solely through the use of better technology. This bumps up against the common claim of cloud service providers that they are better suited to provide technological security controls than many organizations, even large Fortune 500 companies. This may be true, but it cannot avoid the human element. Human beings ultimately operate those technological controls, and human beings are imperfect. And while an enterprise may not have the best security, it does have the internal ability to vet its employees – but transparency is lacking with respect to the employees of cloud service providers.
The problem can be boiled down to this:
- If I am an enterprise customer and my cloud provider disclaims all liability or indemnification obligations for data security breaches except those resulting from the provider’s own willful misconduct or gross negligence, how can my company protect itself from plain old negligence (not just willful misconduct or gross negligence) of employees of the cloud provider?
- If I am a cloud service provider, how can I agree to accept unlimited liability for the mere negligence or wrongful conduct of employees and still provide cloud services at a low price point to thousands of enterprise customers?
What can be done to mitigate risk in this scenario? Following are some potential considerations for customers and providers alike:
- Background checks. Can they be done legally? The laws in many states and municipalities are changing. Most recently, New York City Mayor Bill de Blasio signed a bill, taking effect on September 3, 2015, that amends the city’s Human Rights Law to prohibit most employers from inquiring into or considering a prospective or current employee’s credit history when making employment decisions, with specific exceptions. Consider whether the contract with a cloud service provider should require background checks, where allowed by law, of all employees with access to sensitive data such as personally identifiable information.
- Is information security training required for employees and contractors with access to sensitive data? How frequently? This should be built into due diligence, if not the contract itself.
- Where’s the WISP? Don’t overlook the value of a written information security program. What does it say? Even if the cloud service provider cannot turn over its internal WISP for security reasons, it should be able to provide a customer with a summary that contains sufficient information to determine what controls are in place to mitigate the risk of human error. And Massachusetts’ information security regulations, 201 CMR 17.00 et seq., require that all organizations that own or license personal information about a Massachusetts resident have a WISP in place (even if not highly regulated like financial institutions under the Gramm-Leach-Bliley Act).
- Pushing accountability down the chain. Taking responsibility for subcontractors and suppliers is a step in the right direction for customers and providers alike. Everyone in the chain should take responsibility for vetting security preparedness up, down, and sideways. Some regulatory structures build this into the legal mandates (for example, the Business Associate security requirements under the Health Information Portability and Accountability Act). Even where not strictly required by law, this evaluation of subcontractor and supplier security controls and ability to provide recourse in the event of an incident should be part of every RFP, due diligence, and contracting process.
- Scope of indemnification and reimbursement obligations. The parties should always discuss and consider indemnification and reimbursement obligations tied to more than just willful misconduct and gross negligence. One potential approach is to tie these remedies to breach of contractual obligations, representations, and warranties (including specific security requirements), so that they reach beyond purely intentional wrongdoing. For cloud service providers, offering these kinds of remedies in the event of an incident can be a competitive differentiator as well.
- Cyber insurance. Does the customer have it? The cloud service provider? This may be the most critical line of defense in mitigating risk.
Needless to say, there is no magic bullet. However, customers and providers can take the foregoing steps as part of an information governance program to help mitigate the risks of human foibles in the cloud.