Cloud computing services are fast becoming popular vehicles for businesses to use in managing information due to their speed and appealing cost structure. Yet companies must remain mindful of information management issues in conjunction with potential legal ramifications when considering cloud computing.
The importance of spelling out duties and obligations in cloud computing service contracts has taken on added significance given recent news of data breaches. For example, many companies including Walgreens, Target and Citibank have made headlines when hackers have gained unauthorized access to consumer information and in so doing brought the need for tighter controls on information security into focus.
No company wants to notify its customers that their email addresses or account information have been accessed by unauthorized third parties, which leaves the consumers vulnerable to scams and identity theft. In addition to causing customer service problems, such breaches could lead to liability for damages resulting from the company’s failure to properly secure its information. To guard against these risks, it is imperative that companies do their best to ensure their information is protected from unauthorized access, including information that is stored by a cloud service provider (CSP). Much in the way that hard copy information is secured in a locked file cabinet or a secure warehouse, information in the cloud needs to be secure.
A business considering contracting for cloud computing services with a CSP should take care to fully understand the CSP’s practices, policies and track record related to managing and protecting information. Critical to any company’s cloud computing contract is understanding how its data travels and where it actually resides, as well as its compatibility with the company’s current systems. Contracts with CSPs, often referred to as Service Level Agreements (SLAs), include details aimed at important issues such as information ownership, privilege, confidentiality and performance. At the outset, a company must determine which types of information will be stored in the cloud and whether the information will be placed in a private or shared cloud, or a combination of both.
Because cloud computing relies upon a third party for data services provided via the Internet, it is critical that a company ensure that its contract with a CSP includes, among other terms, the following:
Ownership – Data Possession, Custody, Control and Access: The contract should specify the company’s ownership of its data and the company’s right to access data on demand.
Service Requirements: The contract should detail service requirements, including but not limited to, the CSP’s operational controls, business practices, reliability, functionality, warranties, performance and staff requirements.
Audit and Inspection Rights: The company should specify its right to audit and inspect the CSP’s facilities and the equipment that stores the company’s data.
Security and Privacy Protections: To protect against issues that could arise from security breaches, the contract should clearly establish the security measures and privacy protections that the CSP will provide.
Vendor or Subcontractor Relationships: The contract should examine the manner in which vendors and subcontractors may be used by the CSP to outsource certain functions and ensure they are bound to the same obligations as the CSP.
Backups of Data, Crisis Management and Disaster Recovery: The contract should address restoration obligations as well as the CSP’s capabilities to meet these obligations.
Pricing: The company should negotiate price caps or otherwise build in pricing controls.
Insurance Considerations: In addition to standard errors and omission insurance, the company should consider whether the company or the CSP should maintain cyber-insurance.
Indemnification for Losses Caused by the CSP: The contract should include a defense, indemnity and hold harmless provision to protect against issues which include, but are not limited to, legal holds and sanctions which could arise from the CSP’s failure to properly preserve information.
Jurisdiction of Disputes – Location of Data: The contract should address the location of the CSP’s data centers, as the location may affect issues relating to service of subpoenas, privacy laws, storage of personal and financial information, export control laws and the cross-border flow of data. The contract should also include provisions on venue and jurisdiction.
Termination Rights and Disposition of Data: The contract should address termination rights, what will happen to stored data at the conclusion of the agreement and the format in which the data will be returned to the company or its designee.
Cloud Computing and Litigation: Should litigation arise that requires the company to engage in preservation, search and/or production of data stored by the CSP, it is imperative that accommodations for eDiscovery are included in the contract. The contract terms, at a minimum, should establish the company’s sole and absolute ownership and control over the data, the ability to apply search terms and the capacity to undertake preservation by custodian as necessary.
The contract should also address the CSP’s ability to document and report upon chain of custody and collection to assist with discovery and evidentiary concerns. In addition, the contract should specify the processes and procedures that will be followed should the CSP be served with a subpoena or some other form of legal request for the company’s information.
Any business considering entering into a cloud computing contract needs to weigh the risks against the benefits and proceed accordingly, as liability and business interruption issues can and do arise. Engaging in cloud computing may be a risk worth taking as long as the company examines and carefully documents issues critically important to its business.