- Cloud Computing: Protecting Your Company's Data Against a Rainy Day
- May 6, 2010
- Law Firm: Troutman Sanders LLP - Atlanta Office
No doubt you have heard about “cloud computing.” It’s actually not new to the technology world. The fundamentals have been around for a long time. We used to talk about “WANs” (wide-area networks), and then “distributed networking.” We’ve been working with ASP (application service provider) technology or SaaS (Software as a Service) for years. But, 10 years ago, there wasn’t even enough of this activity to qualify as “high humidity,” much less a cloud. What has really changed is that, with the advent of social media, ordinary consumers are using SaaS technology, and the rain droplets are so numerous that they have formed a cloud - referring to millions (nearing billions) of “molecules” that are all now linked together, rather mysteriously, and just hanging together out there in the ether. It’s not a perfect metaphor, but it will do.
Today, more and more businesses are also outsourcing basic business functions to a cloud computing environment - just using the services they need, when they need them, without all of the investment in hardware, bandwidth, storage, and permanent personnel. But, cloud computing agreements can be very complex, and any service agreement with cloud vendors may well leave you feeling like your organization is merely floating along, untethered to anything you can count on. So, companies looking to use these services should take reasonable steps to protect their interests and assets.
Depending on transaction size, cloud vendors may allow a company to negotiate a tailored contract, rather than use a standard form agreement. But, because “ease of use” is the premium offering of cloud computing, many vendors just won’t budge from their forms. Companies looking to enter into a relationship with a cloud vendor, therefore, should understand the limitations and assess the risks of such agreements. Some common issues to consider include: How are the service fee provisions structured? What are the standards of service to which the vendor will be held (usually included in the Service Level Agreement, or SLA)? Where and how is sensitive data stored? What security protocols does the vendor employ to keep data safe? What does the agreement say about a data breach? What is the vendor’s responsibility if a data breach occurs? What happens if litigation arises? What happens when the agreement ends?
As with any data vendor, the risk of a security breach is always present. As we have argued many times in other Advisories, data breaches are not “if” scenarios but rather are “when” scenarios. Although cloud vendors often store or process their clients’ customer or employee data, most data breach laws place ultimate responsibility for data breaches on the data owner. Having a breach plan that addresses the responsibilities of each party in the event of a breach is highly recommended. Contractually shifting risk, where possible, is also something to think about. Indemnification is an option, and insurance should also definitely be considered.
One thing is for sure - the cloud is only going to get bigger. As the cloud grows, so should your sensitivity to the need for careful attention to the terms of any vendor agreement and the treatment of any potentially vulnerable consumer or employee data. As with any cloud, the one you are using will eventually produce some rain. You should make sure you’re ready.