Cloud Control

Although cloud computing may offer cost reductions and other benefits to companies, users must ensure that “they have rigorous risk management processes in place to avoid potentially harmful data breaches.”  Outsourcing software hosting to third party servers accessed through the internet can drastically reduce a company’s IT infrastructure. 

However, the “lack of certainty about where the data is stored and how it is protected can spark legal challenges, experts say.”  Cloud computing services “often store data on multiple servers in different countries.  Should there be a breach, a company could be subject to the laws of the country where the data is physically stored.”

Data privacy laws vary greatly.  In the U.S. there is no single comprehensive data privacy law, though several federal laws contain provisions about data privacy.  In addition various states have their own privacy laws.  Currently there are at least five bills pending in congress which would affect data privacy.

Companies that wish to utilize cloud computing should consider what data will be stored “in the cloud” and ensure that certain types of data are encrypted.  They must make sure that privacy policies are thorough.

“A crucial factor in any cloud computing arrangement is the contract with the provider.”  Unfortunately for some, by the time a problem was discovered the data was gone and it was too late to do anything about it.  Companies should find out “where will the data be stored; what kind of security safeguards will the cloud computer provider apply to the data; what limitations of liability is the cloud company imposing on the transaction; and whether or not the cloud computing company will indemnify the organization, and if so, in what circumstances.”

Other contract provisions should address what happens if there is a disaster that destroys the cloud provider’s facility.  Do they have an obligation to back up and reproduce your data?  What happens if they file for bankruptcy and shut down their servers?  Or if another company engaged in illegal activities shares your server would your data be turned over to authorities as well?

Companies should have Cyber Liability insurance even if the cloud provider has a policy in place.  If data is lost, clients most likely will hold the company responsible.  Let us know if you want to investigate this coverage for your business.

From Business Insurance, May 23, 2011 issue, pp. 4 and 21.  Also from Business Insurance, June 6, 2011 issue, pp. 18-21.