With the ever-increasing use of the cloud by more and more businesses, there is good reason to be concerned about legal risks, which are an inherent part of the cloud. The term “cloud” may be relatively new, but the concept of remote computing started more than 50 years ago, when Dartmouth College first launched “time-sharing,” as I wrote in a 2011 E-Commerce Times column, entitled “Cloud Computing – New Buzzword, Old Legal Issues.”
The risks of remote computing have not abated. In fact, they have grown with the Internet, because cloud systems now sit in data centers in countries around the globe. With a patchwork of laws covering privacy and data protection, it is not always clear which law applies, or what your obligations are, if someone penetrates your cloud and takes your data or your customers' credit card numbers.
The Vagaries of Cloud Contracts
“The cloud” is a very amorphous term, and many cloud providers actually sell the services of other companies. They are effectively cloud brokers, with no systems of their own. It is critical that the customer understand which company actually provides the cloud services and which is merely a reseller, because the company that runs the servers is the one whose staff, physical security and location determine how your data is protected.
For instance, if you purchase your cloud services from a small specialty provider, such as a host for a relatively low-cost ERP system, it is likely that your provider purchases cloud services from a larger company, such as Google, Rackspace or Amazon.
The use of the real cloud host is often spelled out in the “click agreement” you must enter when you accept the cloud service. Unless you review your click agreement, you will not know who is actually providing the cloud, nor the extent to which your data is protected or vulnerable.
The Notorious 9 Cloud Threats
The cloud is not as safe as many people think, as a report from the Cloud Security Alliance explains. The CSA has outlined nine major categories of threats that face cloud technologies that organizations “must weigh … as part of a rigorous risk assessment, to determine which security controls are necessary.”
The CSA’s nine threats to cloud security, ranked in order of severity:
- Data Breaches
- Data Loss
- Account Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology Issues
It’s no surprise that since that report was issued in 2013, things have not improved.
At the end of 2014, CDW issued a white paper entitled “Playbook: Overcoming Cloud Security Concerns,” which explains how to deal with the nine CSA threats and spells out the difference between data loss and data breach:

“Data loss is sometimes confused with data breach. Unlike a data breach, which always involves an unauthorized party gaining access to sensitive data — an exploitation of confidentiality — data loss simply means that an organization’s data has been deleted or overwritten, a failure of availability.”

Because cloud customers apparently do not appreciate what rogue employees can do, CDW made these important observations about threat No. 6 — Malicious Insiders:

“Malicious insiders are authorized personnel — users and administrators — who intentionally violate organizational policy for personal reasons, such as financial gain or revenge. Because they already have access to sensitive data, malicious insiders may readily cause data breaches, data losses and other negative effects. For example, an insider may copy a sensitive database onto a flash drive, then use the information stored on it to commit identity theft.”

Given that cloud providers may have malicious insiders, it makes sense to learn what policies the actual cloud provider and any third-party cloud reseller have to ensure that they 1) hire and retain trustworthy people; and 2) regularly monitor their systems so that insiders do not cause them — and you — cloud problems.
Cloud Contract Negotiating
There are three important contract terms that companies should incorporate for better cloud protection, suggested a panel of attorneys including Microsoft Assistant General Counsel Mike Yeh, at a recent Advanced Compliance Education Summit meeting of the Association of Corporate Counsel.
Those recommendations reinforce CDW’s comments about threat No. 8 of the nine CSA Threats — Insufficient Due Diligence:

“Organizations that are considering the adoption of cloud technologies must fully understand the risks inherent in this step. An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise.”

It will come as no surprise that most businesses simply agree to the cloud provider’s online click agreement, assuming it is a take-it-or-leave-it deal.
The take-it-or-leave-it approach does not work for many companies — especially those that operate around the world and therefore must comply with a variety of laws across international borders, notes a Law360.com report on the ACC discussion.
Following is a discussion of the three contract terms the ACC panel attorneys identified as most important.
Contract Term No. 1: Limit Access to Data
The cloud provider must not use the customer’s data for its own purposes, and the cloud contract needs to state that limitation explicitly. For instance, make sure that the contract bars the cloud provider from using customer data for its own targeted marketing. The customer also needs a way to verify that its data has not been compromised or misused, which is why the contract must include the right to audit (discussed below).[*Correction – May 26, 2015]
Contract Term No. 2: Privacy
Because there are so many different privacy laws around the world, it is critical that the cloud contract spell out how the cloud provider will comply with each law that applies to the customer’s data. For example, in the U.S., protection of patient records under HIPAA (the Health Insurance Portability and Accountability Act) is mandatory, so any entity holding patient records must be sure that its cloud provider is HIPAA-compliant. Having cyberinsurance for possible HIPAA violations may not be enough to cover the liability for failing to protect HIPAA data. Also, laws in the EU (the 1995 Data Protection Directive), Canada, Japan, Australia and many other places differ significantly from those in the U.S., so the cloud provider must let customers learn where their data is stored and must comply with the local requirements there.
Contract Term No. 3: Customer Audits
Although audit rights may seem simple and reasonable, many cloud providers do not permit audits, or they create so many roadblocks that no meaningful audits can be conducted. It is critical that before agreeing to a cloud contract, the customer determine whether it has the right to audit — and if not, either negotiate that provision or select a different cloud provider.
Before agreeing to click agreements, cloud customers should seek assistance from an attorney who understands the true legal risks of the cloud. Unfortunately, many businesses want to save some money either by not using a lawyer at all or by engaging one who does not understand the risks.
Entering into a cloud agreement — whether a click agreement or on paper — is at least as financially risky as any other major agreement a cloud customer may sign, and it should be given at least the same scrutiny.
*ECT News Network editor’s note – May 26, 2015: In our original published version of this article, columnist Peter Vogel recommended that customers “make sure that the cloud provider does use the customer data for its own purposes for target marketing.” What Vogel meant to recommend was that customers “make sure that the cloud provider does NOT use the customer data for its own purposes for target marketing.”