Mitigate Privacy and Security Risks in the Cloud

By Robert J. Scott, Managing Partner, Scott & Scott, LLP

Businesses are focusing on the potential cost savings, profits and agility to be found in the cloud. Cloud contracts expose both the client and the service provider to risks not present in more traditional technology service or software transactions. The transformation from on-premises software deployments to cloud-based models has widespread implications for data privacy, security, and regulatory compliance.

On January 27th, I will share suggestions on how each party can mitigate, balance or transfer the privacy and security risks in cloud computing in a free webinar, "Cloud Contracts to Minimize Risk."

The inherent risks associated with cloud services should be understood before entering into cloud computing contracts, and addressed through proper contracting and risk transfer using insurance.

Data Privacy and Security Risks for Cloud Computing Users

The biggest issues with respect to cloud computing are data privacy and security risks. The loss of personally identifiable customer, financial, or health care information can be catastrophic to a business. Related to these concerns are IP and data ownership issues, the right to use data, jurisdiction of stored data and compliance with local law, rights to the data at termination of a contract, and the availability of monetary or other remedies in the event there is a data breach. Before outsourcing application hosting and data storage to a cloud vendor, a customer must be comfortable that the vendor’s platform is secure and that the terms of service protect the customer if things do not go as planned.

The main risk that users face when they place their data and applications on centralized servers in a cloud computing environment arises from the loss of physical control of the data. Once data is out of the users’ hands and in the hands of another party, all of the issues identified above become risk points for the user. The customer has a non-delegable duty to safeguard their customer information. In cloud contracts, end-users entrust this duty to safeguard the privacy and security of their data to the cloud provider while still remaining legally responsible for any losses that occur during the term of the contract.

The four main categories of risk in cloud computing are: business continuity risks, regulatory compliance risks, intellectual property risks, and liability risks.

The two important steps to take before entering into any cloud computing agreement are to identify the risks listed above to determine the client’s comfort level with respect to each, and to begin the discussion of risk balancing early in the negotiation. Lengthy, unsuccessful negotiations can be avoided if each side is clear as to their “deal-breakers” with respect to these risks up front.

Cloud service providers should understand the industry regulatory requirements of their customers, encrypt data in motion and in storage, and include cyber risk insurance. Service level agreements should include indemnity provisions.
