In our last blog post, we discussed the risks associated with cloud technology. Here, we will examine the best practices in cloud risk mitigation.
Due Diligence. Perhaps the most important step in implementing cloud technology is choosing the best service provider to fit your company’s needs. Choosing a provider involves many different business considerations, and is not a decision that should be made by any one department or individual. Cloud implementation teams that include members from IT, legal, business and finance, and risk and procurement are best suited to tackle the complexities of these services. A cloud implementation team should create a request for proposal (RFP) that details the needs of the business. This document should be sent to service providers as part of a competitive bidding process. Background checks should be performed on each service provider to evaluate their financial stability, compliance with applicable law, security infrastructure and policies, customer reviews, and solvency.
A Negotiated Services Agreement. Many businesses assume that along with the transfer of their data, they have also transferred their risk to the cloud provider, but absent a clear agreement that shifts liability to the provider, this is untrue. The ideal cloud service provider should be willing to negotiate the conditions of your service level agreement (SLA) to fit your business’ needs. Vital components of any SLA include: a disaster recovery plan, allocation of liability, data encryption policy, limits on system downtime, termination policy, and indemnification for breach or interruption. Setting out the costs of implementation, maintenance, and ongoing cost for personnel and software at this point in the negotiation will ensure the financial longevity of a business’ cloud use. Once you have narrowed down your potential providers, a demonstration or an evaluation period can offer substantial insight into the provider’s capabilities. It is also important to consider: term-of-use commitments, fee increases, data ownership rights, audit rights, and transition services.
Insurance. Businesses should confirm that their own insurance policies cover cyber-related events; if they do not, obtaining a separate cyber insurance policy is a best practice. Such policies should clearly state the scope (e.g. geographic or otherwise) of coverage and define critical terms like “computer system” and “network”. Deductibles, claim limits, and indemnification exclusions should also be carefully considered. Just as in your SLA, it is critical to understand who bears the risk of a data breach under your insurance policy.
Getting Help. The degree of security necessary for any cloud service will depend on the nature of the information that will be held in the cloud. Many companies who deal in sensitive information or are in a heavily-regulated industry choose to employ cloud brokers to guide them through the RFP process and outside counsel to assist in the detailed negotiation of the Service Agreement.
If you have any questions regarding Cloud Computing, please contact this author or a member of Polsinelli’s Privacy and Data Security team.