Cloud computing is here to stay and will continue to change the way companies store data.
Because your company will be charged only for the space you need and use, the option may be an attractive way to save money. However, before making what may seem to be a cost-effective decision, there are many factors to consider.
Security: By using cloud computing, are you just asking for a security problem? The first step your company must take is to look for a reputable vendor. Can they maintain the necessary staff and equipment capable of monitoring for intrusions and attempted breaches, and continually upgrade their hardware, software and firewalls?
Financial Viability: Perform credit and reference checks, especially if the data you store in the cloud is critically important for your business. Ask for a representation in the contract that the vendor owns, not leases, the equipment on which your data will be stored, and that no creditor of the vendor has the right to seize that equipment.
Contract Requirements: While no one can guarantee 100% availability of your data or software, your contract should include a service level agreement regarding the environment, data availability, and announcements of scheduled maintenance. If the contract establishes a low threshold, the vendor may not be as concerned as you are with maintaining higher standards. You should also retain the right to terminate the contract if the service levels are breached repeatedly.
The contract should also require the vendor to supply a copy of their Statement on Standards for Attestation Engagements (SSAE) 16 audit, and require them to furnish a copy to you each year.
Equally important is the need to protect your data from outside intrusions. The contract should include a provision that prohibits the cloud vendor from using or disclosing your data and other confidential information and intellectual property. Any agreement that transfers data or software off-site must clearly protect the confidential and intellectual property rights of both parties. Ask for a provision assuring that if the vendor is served with any subpoena, warrant, national security letter, or similar process, it will provide you with immediate notice and will withhold compliance until the last date permitted by law – which then allows you to seek protection from an appropriate court.
Finally, you need to pay special attention to which law may apply to the agreement. To complicate matters, some cloud vendors cannot or will not tell you where your data is stored. If your type of business is required by law or regulation to have the ability to audit the physical security of the servers that house your data, you need to ask for a representation of the location of their servers and an agreement that you may have physical access to their premises.
Depending on your business, you may also need to ask for a provision that forbids the vendor from moving the data, or at least forbids it from moving your data or software across jurisdictional borders.
Insurance: You are entering into a business agreement with risk. Review your company’s insurance policy to see whether you are covered if your data is lost or its security breached.
Finally, you should also maintain your own back-up and disaster recovery systems and always avoid storing your only copy of the information or software in the cloud.
Before entering into an agreement with a cloud computing vendor, you should carefully vet the potential vendor, review all relevant data security regulations, and make sure your contract(s) maximize your protection.
If you have any questions or would like additional information on this issue or other corporate challenges, please contact Paul D. Creme.
Paul D. Creme is an attorney with Hamblett & Kerrigan PA. His practice is focused on business and corporate law. Of particular interest are the areas of software and emerging technologies. You can reach Attorney Creme at [email protected].