The success of a cloud computing arrangement depends in great parts on the extent to which the client has understood the risks that it was taking and has selected accordingly the types of data that could be hosted in the cloud. As privacy and security counsel to a business, we ensure that our client understands these risks.
Cloud computing involves very complex legal issues because the technical setting used for hosting and processing data in a cloud is itself also very complex. While cloud computing offers financial benefits and ease of use, it presents significant data privacy and security challenges.
- The fluidity and flexibility of the cloud environment allows for ease of access, ease of transmission, and ease of processing. This flexibility, in turn, creates significant risks for the privacy and security of the data being stored or processed in the cloud;
- In many cases, the company will want to transfer to the cloud personal data about its customers or employees, such as financial, medical, payroll or benefits information, and purchasing histories. The handling of these data is often regulated by law. Among other requirements, these data must be protected through written contracts that require appropriate security measures;
- At any given time, the client may have little control over the location where its data are stored. If adequate restrictions have not been addressed in advance, the cloud service provider may move its client’s data abroad, which may violate certain data protection laws;
- If the data are hosted in a country that does not have a robust data protection regime, or where the government has extensive powers to access computer systems, the data may be at risk. There may be unauthorized or unwanted access to the data against which the client could do little.
A company that intends to use cloud computing services should carefully review the related terms of service. Conducting adequate due diligence before entering into a contract, building frequent audit and reporting structures, and supplementing the contract with specific policies and procedures will help reduce the exposure to data loss or compromise.
As founding members of the Cloud Security Alliance, we have been at the forefront of the legal analysis of cloud computing arrangements. We have addressed a wide range of issues involved in cloud computing, from advising on privacy and security, risk management and compliance issues, to structuring and negotiating contracts. We have handled all aspects of these and similar service agreements, represented vendors and clients, and negotiated numerous high stakes transactions.
We can assist businesses in:
- Performing due diligence before entering into a contract;
- Reviewing and evaluating a proposed cloud services agreement;
- Assessing the legal risks;
- Clarifying the numerous aspects of the services to be performed, and their effect on the protection of personal data;
- Counseling on data privacy and security compliance requirements;
- Structuring and negotiating service-level agreements, data use agreements, and data transfer agreements;
- Ensuring that appropriate data privacy and security protections are built in the contracts.